From: "Barry Raveendran Greene"
Is anyone seeing router impact caused by all the bogus queries sent out by Code Red? Just wondering if there could be some side effects.
We had the cpu running at 100% on our border router till we tuned the access-lists to deal with traffic to port 80 early. cheers mark --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Tue, Aug 07, 2001 at 10:36:51AM +1200, Mark Davies wrote: We had the cpu running at 100% on our border router till we tuned the access-lists to deal with traffic to port 80 early. Ouch... what kind of router? Where was all the CPU being spent? I would normally only expect something like this to create problems for a router if it happens to be unfortunate enough to have an OS that also comes with a web-server built in AND it's enabled. --cw --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Tue, Aug 07, 2001 at 10:46:27AM +1200, Chris Wedgwood wrote: On Tue, Aug 07, 2001 at 10:36:51AM +1200, Mark Davies wrote: We had the cpu running at 100% on our border router till we tuned the access-lists to deal with traffic to port 80 early. Ouch... what kind of router? Where was all the CPU being spent? Ah... I see it now, and not that I look it's supported by comments from nanog. Looks like lots of request for hosts which don't exist (and hence never answer) cause major suckage of CPU in the ARP code on the cisco. I just did this for a couple of people: access-list 100 permit tcp any my.pr0n.server eq www access-list 100 deny tcp any any eq www access-list 100 permit ip any any int <ingress> ip access-group 100 in and that seems to help even nasty little ol' 2501s with T1s handle quite adequately. Note, if your not running IOS 12.7.57X-Roswell-blah or later, it seems it also causes you to leak memory and you might need a reboot :( Interestingly, this points to a couple of really simple DoS attacks that have nothing to do with Code Red... --cw --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
participants (2)
-
Chris Wedgwood
-
Mark Davies